This is race between dcache shrinking triggered by umount and sysfs deletion. It seems to be introduced when dentries for attr and symlink nodes are made unpinned. sd->s_dentry clearing is done without synchronization and sysfs_drop_entry() ends up deleting already deleted dentry (dentry->inode is NULL).

### race 2

thread shrinking dcache thread looking up sysfs entry -------------------------------------------------------------------- 1. sysfs dentry for A is chosen as victim. 2. prune_one_dentry() drops the dentry and calls dentry_iput(). 3. dentry_iput() unlinks d_alias and releases spin locks. 4. looks up dentry for A which is not in dcache. 5. new dentry is created and sysfs_lookup() is invoked, which instantiates the dentry and set sd->s_dentry to it. 6. sysfs_d_iput() is called. BUG_ON(sd->s_dentry != dentry) triggers and sd->s_dentry is cleared. You're screwed.

Both races are caused by sd->s_dentry going out of sync. This patchintroduces sysfs_lock and protect sd->s_dentry with it so that...

* sd->s_dentry always points to the dentry which is looked up most recently. This is guaranteed even when dentry_iput() on the previous dentry overlaps with the lookup of the latest dentry.

* While sysfs_lock is held, the value contained in sd->s_dentry is valid. If null, no dentry is associated with the sd. If not null, the dentry is accessible and is or used to be associated with the sd. Whether the dentry is alive or not can be checked by locking dcache_lock and checking whether the dentry is positive.

This change allows syfs_drop_dentry() to reliably determine theassociated dentry and drop it. This patch also converts remove_dir()which used to use a separate drop mechanism to use the same drop path.With this change, making directories reclaimable is much easier.